12.07.2015 Views

BIOMETRIC TEMPLATE SECURITY: CHALLENGES AND ...


[Figure 1: Vulnerabilities in a biometric system (adapted from [4]). The diagram shows the sensor, feature extractor, matcher, stored templates and application device (e.g., cash dispenser), with eight attack points: 1. Fake biometric; 2. Replay old data; 3. Override feature extractor; 4. Synthesized feature vector; 5. Override matcher; 6. Modify template; 7. Intercept the channel; 8. Override final decision.]

output by the biometric system may be overridden.

The UK Biometric Working Group (UK-BWG) lists several factors that can affect the integrity of the template [5]: (i) accidental template corruption due to a system malfunction such as a hardware failure, (ii) deliberate alteration of an enrolled template by an attacker, and (iii) substitution of a valid template with a bogus template for the purpose of deterring system functionality.

In this paper, we discuss several issues related to template security. Specifically, we examine some of the attacks that can be used to compromise template information. Then, we analyze possible solutions to alleviate this problem.

2. COMPROMISING TEMPLATE INFORMATION

A template represents a set of salient features that summarizes the biometric data (signal) of an individual. Due to its compact nature, it is commonly assumed that the template cannot be used to elicit complete information about the original biometric signal. Furthermore, since the templates are typically stored in an encrypted form, it is substantially difficult to decrypt and determine the contents of the stored template (without the knowledge of correct decrypting keys). Thus, traditionally, template-generating algorithms have been viewed as one-way algorithms. However, in the recent literature there have been techniques presented that contradict these assumptions.

Adler [6] demonstrated that a face image can be regenerated from a face template using a “Hill Climbing Attack” (attack level 2 in Figure 1). He employed an iterative scheme to reconstruct a face image using a face verification system that releases match scores.
The algorithm first selects an estimate of the target face from a local database comprising of a few frontal images by observing the match score corresponding to each image. An eigen-face (computed from the local database) scaled by 6 different constants is added to this initial estimate resulting in a set of 6 modified face images which are then presented to the verification system. The image resulting in an improved match score is retained and this process is repeated in an iterative fashion. Within a few thousand iterations, an image that can successfully masquerade as the target face image is generated. The important feature of this algorithm is that it does not require any knowledge of either the matching technique or the structure of the template used by the authentication system. Furthermore, template encryption does not prevent this algorithm from successfully determining the original face image. The algorithm was able to “break” three commercial face recognition systems.

Uludag and Jain [3] devised a synthetic template generator (STG) that also uses the “Hill Climbing Attack” (attack level 4 in Figure 1) to determine the contents of a target fingerprint template ($D_i$) for the $i$-th user (see Figure 2). The minutiae template is assumed to be a sequence of $(r, c, \theta)$ values representing the location and orientation of component fingerprint minutiae. The STG begins by generating a fixed number of synthetic templates each comprising of randomly generated minutiae points. These templates are compared against the target template in the database (via the matcher) and the synthetic template resulting in the best match score is retained. The retained template is then modified iteratively via the following four operations: (i) the $r$, $c$ and $\theta$ values of an existing minutia are perturbed, (ii) an existing minutia is replaced with a new minutia, (iii) a new minutia is added to the template, and (iv) an existing minutia is deleted.
The modified template ($T_i^j$) is compared against the target template and the match score ($S(D_i, T_i^j)$) computed. This process, viz., modifying the current synthetic template and comparing it against the target template, is repeated until the match score exceeds a pre-determined threshold. The authors used this scheme to break into 160 fingerprint accounts; their algorithm required only 271 iterations, on an average, to exceed the matching threshold for each one of those 160 accounts.

[Figure 2: Algorithm to synthesize minutiae templates [3]. Diagram labels: Attacking System (Synthetic Template Generator, Attack Module); Target System (Template Database, Fingerprint Matcher, to other modules); signals $D_i$, $T_i^j$ and $S(D_i, T_i^j)$.]

Hill [7] describes a masquerade attack wherein the fingerprint structure is determined using the minutiae template alone (attack level 7 in Figure 1). It is assumed that each minutia point is characterized using its 2D location, orientation and the curvature of the ridge associated with it. Based on minutiae points, the author predicts the shape of the fingerprint (i.e., its class) using a neural network classifier consisting of 23 input neurons, 13 hidden neurons and 4 output neurons (corresponding to 4 fingerprint classes). However, the classification performance is rather low (an error rate of 28.9% on a small set of 242 fingerprints). The author then uses a generic orientation map and the minutiae information to generate line drawings that are a digital artefact of the original fingerprint. The proposed technique is observed to work on a database of 25 fingerprints from arch class.

Ross et al. [8] propose another technique to elicit the fingerprint structure from the minutiae template (attack level 7 in Figure 1). Each minutia is assumed to be represented by its 2D spatial location and its local orientation. The authors identify minutia triplets which are used to estimate the underlying orientation map. The estimated orientation map is observed to be remarkably consistent with the flow of ridges in the original (unseen) parent fingerprint. Furthermore, they use a set of 11 features derived from the minutiae points to predict the class of the fingerprint. A 5 Nearest-Neighbor classifier is used to classify the minutiae set of a fingerprint into one of four classes. Their classification experiment conducted on a dataset of 2200 fingerprints exhibits an error rate of 18%. Finally, they use Gabor-like filters (suggested by Cappelli et al. [9]) to generate fingerprints based on the orientation map (Figure 3).

[Figure 3: Reconstructing fingerprints [8]: (a) Minutiae distribution of a fingerprint image, (b) predicted orientation map, (c) reconstructed fingerprint.]

Besides these types of attacks, an intruder may alter the contents of a template in order to deter a legitimate user from being successfully verified (attack level 6 in Figure 1).

3. PROTECTING BIOMETRIC TEMPLATES

Several methods have been suggested in the literature to protect biometric templates from revealing important information. In order to prevent the Hill-Climbing Attack from successfully converging, Soutar [10] has suggested the use of coarsely quantized match scores by the matcher. However, Adler [11] demonstrated that it is still possible to estimate the unknown enrolled image although the number of iterations required to converge is significantly higher now.

Yeung and Pankanti [12] describe an invisible fragile watermarking technique to detect regions in a fingerprint image that have been tampered by an attacker. In the proposed scheme, a chaotic mixing procedure is employed to transform a visually perceptible watermark to a random-looking textured image in order to make it resilient against attacks. This “mixed” image is then embedded in a fingerprint image. The authors show that the presence of the watermark does not affect the feature extraction process. The use of a watermark also imparts copyright capability by identifying the origin of the raw fingerprint image.

Jain and Uludag [13] suggest the use of steganography principles to hide biometric data (e.g., fingerprint minutiae) in host images (e.g., faces). This is particularly useful in distributed systems where the raw biometric data may have to be transmitted over a non-secure communication channel. Embedding biometric data in an innocuous host image prevents an eavesdropper from accessing sensitive template information. The authors also discuss a novel application wherein the facial features of a user (i.e., eigen-coefficients) are embedded in a host fingerprint image (of the user). In this scenario, the watermarked fingerprint image of a person may be stored in a smart card issued to that person. At an access control site, the fingerprint of the person possessing the card will first be compared with the fingerprint present in the smart card.
The eigen-coefficients hidden in the fingerprint image can then be used to reconstruct the user’s face thereby serving as a second source of authentication.

Ferri et al. [14] propose an algorithm to embed dynamic signature features into face images present on ID cards. These features are transformed into a binary stream after compression (used in order to decrease the amount of payload data). A computer-generated hologram converts this stream into the data that is finally embedded in the blue channel of a face image. During verification, the signature features hidden in the face image are recovered and compared against the signature obtained on-line. Ferri et al. [14] report that any modification of the face image can be detected, thereby disallowing the use of fake ID cards.

Since the biometric trait of a person cannot be easily replaced (unlike passwords and PINs), a compromised template would mean the loss of a user’s identity. Ratha et al. [15] propose the use of distortion functions to generate biometric data that can be canceled if necessary. They use a non-invertible transformation function that distorts the input biometric signal (e.g., face image) prior to feature extraction or, alternately, modifies the extracted feature set (e.g., minutiae points) itself. When a stored template is compromised, then the current transformation function is replaced with a new function thereby “canceling” the current (compromised) template and generating a new one. This also permits the use of the same biometric trait in several different applications by merely adopting an application-specific transformation function. However, it is not clear how matching can be accomplished in the transformed domain.

In the realm of template transformation, the so-called biometric cryptosystems are gaining popularity (for a survey on existing techniques, see [16]). These systems combine biometrics and cryptography at a level that allows biometric matching to effectively take place in the cryptographic domain, hence exploiting the associated higher security. For example, Uludag et al. [17] convert fingerprint templates (minutiae data) into point lists in 2D space, which implicitly hide a given secret (e.g., a 128-bit key). The list does not reveal the template data, since it is augmented with chaff points to increase security. The template data is identified only when matching minutiae data from an input fingerprint is available. The system is observed to operate at a Genuine Accept Rate (GAR) of 76% with no false accepts on a database comprising of 229 users.

Although several techniques have been proposed to enhance the security of a user’s template, government regulations will also have to be established in order to address the issue of template privacy. For example, issues related to the sharing of biometric templates across agencies (e.g., medical companies and law-enforcement agencies) and the inferring of personal information about an enrolled user from biometric data (e.g., “Is this person prone to diabetes?”) have to be countered by establishing an appropriate legal framework.

4. SUMMARY AND CONCLUSIONS

We have discussed various types of attacks that can be launched against a biometric system. We have specifically highlighted techniques that can be used to elicit the contents of a biometric template thereby compromising privileged information. We discuss the importance of adopting watermarking and steganography principles to enhance the integrity of biometric templates.
Cancelable biometrics may be used to “reset” the biometric template of a user in the event that the user’s template is compromised. Also, biometric cryptosystems can contribute to template security by supporting biometric matching in secure cryptographic domains.

Smart cards are gaining popularity as the medium for storing biometric templates. As the amount of available memory increases (e.g., state-of-the-art smart cards have 64-KByte EEPROM), there is a propensity to store more information in the template. This increases the risks associated with template misuse. As a result, the issue of template security and integrity continues to pose several challenges, and it is necessary that further research be conducted in this direction.

REFERENCES

[1] A. K. Jain, R. Bolle, and S. Pankanti, eds., Biometrics: Personal Identification in Networked Society. Kluwer Academic Publishers, 1999.
[2] D. Maltoni, D. Maio, A. K. Jain, and S. Prabhakar, Handbook of Fingerprint Recognition. Springer-Verlag, 2003.
[3] U. Uludag and A. K. Jain, “Attacks on biometric systems: a case study in fingerprints,” in Proc. SPIE, Security, Steganography and Watermarking of Multimedia Contents VI, vol. 5306, pp. 622–633, (San Jose, CA), January 2004.
[4] N. Ratha, J. H. Connell, and R. M. Bolle, “An analysis of minutiae matching strength,” in Proc. Audio and Video-based Biometric Person Authentication (AVBPA), pp. 223–228, (Halmstad, Sweden), June 2001.
[5] U.K. Biometric Working Group, “Biometric security concerns,” Technical Report, CESG, September 2003, http://www.cesg.gov.uk/site/ast/biometrics/media/BiometricSecurityConcerns.pdf.
[6] A. Adler, “Can images be regenerated from biometric templates?,” in Biometrics Consortium Conference, (Arlington, VA), September 2003.
[7] C. J. Hill, “Risk of masquerade arising from the storage of biometrics,” B.S. Thesis, Australian National University, November 2001, http://chris.fornax.net/biometrics.html.
[8] A. Ross, J. Shah, and A. K. Jain, “Towards reconstructing fingerprints from minutiae points,” in Proc. SPIE, Biometric Technology for Human Identification II, vol. 5779, pp. 68–80, (Orlando, FL), March 2005.
[9] R. Cappelli, R. Erol, D. Maio, and D. Maltoni, “Synthetic fingerprint-image generation,” in Proc. Int’l. Conf. Pattern Recognition (ICPR), vol. 3, pp. 475–478, (Barcelona, Spain), September 2000.
[10] C. Soutar, “Biometric system security,” White Paper, Bioscrypt, http://www.bioscrypt.com.
[11] A. Adler, “Images can be regenerated from quantized biometric match score data,” in Proc. Canadian Conf. Electrical Computer Eng., pp. 469–472, (Niagara Falls, Canada), May 2004.
[12] M. Yeung and S. Pankanti, “Verification watermarks on fingerprint recognition and retrieval,” in Proc. SPIE, Security and Watermarking of Multimedia Contents, vol. 3657, pp. 66–78, (San Jose, USA), January 1999.
[13] A. K. Jain and U. Uludag, “Hiding biometric data,” IEEE Trans. Pattern Anal. Mach. Intelligence, vol. 25, no. 11, pp. 1493–1498, 2003.
[14] L. C. Ferri, A. Mayerhofer, M. Frank, C. Vielhauer, and R. Steinmetz, “Biometric authentication for ID cards with hologram watermarks,” in Proc. SPIE, Security and Watermarking of Multimedia Contents IV, vol. 4675, pp. 629–640, (Bellingham, WA), January 2002.
[15] N. Ratha, J. Connell, and R. Bolle, “Enhancing security and privacy in biometrics-based authentication systems,” IBM Systems Journal, vol. 40, no. 3, pp. 614–634, 2001.
[16] U. Uludag, S. Pankanti, S. Prabhakar, and A. K. Jain, “Biometric cryptosystems: issues and challenges,” Proceedings of the IEEE, vol. 92, no. 6, pp. 948–960, 2004.
[17] U. Uludag, S. Pankanti, and A. K. Jain, “Fuzzy vault for fingerprints,” To appear in Proc. Audio- and Video-based Biometric Person Authentication (AVBPA), (Rye Brook, NY), July 2005.
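
The chaff-point construction that Section 3 attributes to Uludag et al. [17] can be illustrated as follows; this is an added example, not code from the paper or its authors. It assumes minutiae are already aligned and quantized to integers below an assumed prime modulus P, matches points exactly, uses a SHA-256 value as a stand-in for the check that tells a correct decoding from a wrong one, and runs on constructed sample values.

```python
import functools, hashlib, itertools, random

P = 65537  # prime field modulus (assumed); minutiae are pre-quantized to ints < P

def poly_eval(coeffs, x):  # Horner's rule, lowest-degree coefficient first
    return functools.reduce(lambda acc, c: (acc * x + c) % P, reversed(coeffs), 0)

def interpolate(points):  # Lagrange interpolation over GF(P), lowest degree first
    result = [0] * len(points)
    for i, (xi, yi) in enumerate(points):
        basis, denom = [1], 1
        for j, (xj, _) in enumerate(points):
            if i != j:  # multiply the basis polynomial by (x - xj)
                basis = [(a - xj * b) % P for a, b in zip([0] + basis, basis + [0])]
                denom = denom * (xi - xj) % P
        scale = yi * pow(denom, -1, P) % P
        for k, b in enumerate(basis):
            result[k] = (result[k] + scale * b) % P
    return result

def check_value(coeffs):  # stand-in (assumed) for the decoding check stored with the vault
    return hashlib.sha256(repr(list(coeffs)).encode()).hexdigest()

def lock(secret, minutiae, n_chaff, rng):
    vault, used = [(x, poly_eval(secret, x)) for x in minutiae], set(minutiae)
    while len(vault) < len(minutiae) + n_chaff:
        x, y = rng.randrange(P), rng.randrange(P)
        if x not in used and y != poly_eval(secret, x):  # chaff lies off the polynomial
            used.add(x)
            vault.append((x, y))
    vault.sort()  # stored order must not mark which points are genuine
    return vault, check_value(secret)

def unlock(vault, check, query, degree):
    wanted = set(query)
    candidates = [pt for pt in vault if pt[0] in wanted]
    for subset in itertools.combinations(candidates, degree + 1):
        coeffs = interpolate(list(subset))
        if check_value(coeffs) == check:
            return coeffs
    return None  # fewer than degree+1 genuine points were presented

def demo():
    secret = [4660, 22136, 39612, 57072]  # constructed degree-3 secret
    enrolled = [1021, 5333, 9876, 12345, 20480, 31337, 40001, 51234]  # constructed
    vault, check = lock(secret, enrolled, 200, random.Random(2005))
    genuine = [5333, 12345, 777, 31337, 51234, 60000]  # 4 true + 2 spurious minutiae
    impostor = [11, 2222, 33333, 44444, 55555, 6006]
    return secret, vault, unlock(vault, check, genuine, 3), unlock(vault, check, impostor, 3)
```

The stored list holds 8 genuine and 200 chaff points with nothing to tell them apart; only a query that overlaps at least four genuine points reconstructs the polynomial.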
